I finished several online courses last week on the subject of computer application security and how to properly handle sensitive cardholder data. Very interesting!
The courses were offered through Security Innovation, a company that specializes in cybersecurity standards, education, and assessment.
PCI DSS stands for Payment Card Industry Data Security Standard. These are some common security standards put together by the PCI Security Standards Council, which was formed in 2004 by the large credit card companies: Visa, MasterCard, American Express, Discover, and JCB.
I completed the following courses, offered together in a PCI Developer bundle:
COD 222 – PCI DSS v3.2 Best Practices for Developers
DES 221 – OWASP Top 10 – Threats and Mitigations
ENG 301 – How to Create an Application Security Threat Model
ENG 312 – How to Perform a Security Code Review
Some basic take-aways:
- build security into an application from the requirements / architecture stage: the very beginning!
- create a detailed security threat model to identify all security threats and then define appropriate mitigations
- when transmitting data over an untrusted network, always encrypt data with strong cryptography
- do not store cardholder data unless absolutely necessary!
- validate / sanitize all user input!